Malicious PDF — malware analysis report

Static analysis result for SHA-256 e03221ab53298287…

Verdict: MALICIOUS
File type: PDF
Size: 73.5 KB
Created: 2021-03-18 02:24:07 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 389d6d91be7d0a50c161f84210a322f8
SHA-1: 5bb21ca9bb876d7f58590bda5aa78156d1c5847e
SHA-256: e03221ab532982871334d0f4604d0cac7cfc0eacf1b38e09b3024f4b3dccc5e8
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript
    None of the heuristics below reports a JavaScript action or stream in this file, so the T1059.007 mapping is not corroborated by this static result.

This PDF was flagged as malicious by a ClamAV signature, an ML classifier and a link-farm heuristic. It is a small (73.5 KB) file produced by wkhtmltopdf, an HTML-to-PDF converter, which is consistent with a machine-generated carrier rather than an authored document. It contains a large number of clickable external links to PDF files hosted on free file-hosting and site-builder CDNs (weebly.com, cdn.sqhk.co, strikinglycdn.com, filesusr.com, s3.amazonaws.com), a pattern typical of a link farm or phishing operation rather than normal document citation. The primary URL, https://golowaki.ru/wix?keyword=witchery+vampirism+levels, is likely the entry point used to redirect users to further malicious content. The document's structure and embedded links indicate a phishing or SEO-spam attack pattern. The report also notes one indirect object defined twice with different bodies; this is common in benign incremental updates, but because first-wins and last-wins readers resolve different content, the duplicate should be checked for active content before it is dismissed.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (for example a JavaScript, Launch or OpenAction entry).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://golowaki.ru/wix?keyword=witchery+vampirism+levels
    • https://cdn.sqhk.co/leloxoreje/Cejgkja/lazevosapozafavu.pdf
    • https://soguleta.weebly.com/uploads/1/3/4/3/134305846/xafukulij.pdf
    • https://cdn.sqhk.co/tobamozusaj/ihEgjQX/como_facturar_mis_recargas_movistar.pdf
    • https://cdn.sqhk.co/navolakolire/3jeZ7bk/js_ajax_zip_file.pdf
    • https://fotunerabo.weebly.com/uploads/1/3/4/0/134042859/3930391.pdf
    • https://cdn.sqhk.co/jasojime/gidgibd/zigipepuvevozetafidosuvaw.pdf
    • https://teraxamexad.weebly.com/uploads/1/3/1/3/131380600/76211138c08c61.pdf
    • https://sabizedikidoxar.weebly.com/uploads/1/3/2/6/132681903/8936037.pdf
    • https://tidosivapozagul.weebly.com/uploads/1/3/4/3/134390518/fevirar.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/d9a39814-0929-48e0-bfa7-750c4463a57c/8372079448.pdf
    • https://uploads.strikinglycdn.com/files/d4801783-57ed-4646-8360-61a194161136/sharp_inverter_air_conditioner_remote_control_manual.pdf
    • https://459ec6dd-5b69-4322-a182-74abbfaa0e48.filesusr.com/ugd/221eaa_83585b49a8de40d1bca9efcbbb0f8af0.pdf?index=true
    • https://ec8c99fd-5413-4e38-b6a0-2ccbba71fc6f.filesusr.com/ugd/de02f3_1b6e332d6b3e439e99c3d2115e70211c.pdf?index=true
    • https://uploads.strikinglycdn.com/files/bbd81de3-7cac-4236-a21c-d315ac230804/how_to_use_omron_thermometer.pdf
    • https://uploads.strikinglycdn.com/files/7a946726-bf01-4af0-a6b7-d8af638732dd/proform_505_cst_treadmill_buy.pdf
    • https://uploads.strikinglycdn.com/files/481ec2f6-b1d0-400d-a797-4aa07ecac4b3/46338813196.pdf
    • https://s3.amazonaws.com/kaxukok/lattissima_plus_vs_one.pdf
    • https://uploads.strikinglycdn.com/files/49c9f6be-d7e0-4bd4-81f6-8f40946baaef/wsjt-x_2.1.0_manual.pdf
    • https://uploads.strikinglycdn.com/files/cd491fba-3b08-4c5a-83ad-4961e1069f53/34678572473.pdf
    • https://s3.amazonaws.com/goveruduzewoxu/99097626400.pdf
    • https://abee6ad4-cf47-459a-954e-22b9b9bb30ad.filesusr.com/ugd/4bdc6d_40f7ce3f60fa497f9d18e7cef5753d91.pdf?index=true
    • https://s3.amazonaws.com/fatikonavori/omron_blood_pressure_monitor_android_app.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    The last seven entries are not link targets: the first six are XMP metadata namespace identifiers (RDF, Dublin Core and the Adobe PDF/XMP schemas) and the last is the SIL Open Font License URL, typically carried in an embedded font's licence metadata. They are expected in any wkhtmltopdf output and do not contribute to the link-farm verdict.
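The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a short scanner. The following is an added example and not the analysis platform's own code: it enumerates indirect objects with a regular expression, counts external /URI actions per host to flag a small file whose links cluster on one host, and reports objects defined more than once with different bodies together with what a first-wins and a last-wins reader would resolve, raising severity only when a duplicate carries active content. The PDF bytes, the size/link/cluster thresholds and the set of "active content" keys are constructed assumptions for the demo and do not reproduce the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Indirect object definitions "N G obj ... endobj", in file order, repeats included.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# /URI (literal-string) inside a link action; enough for plain, uncompressed objects.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys that make a duplicated object "active content" (assumed set for this demo).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|URI)\b")

MAX_SIZE = 200 * 1024   # "small PDF": assumed threshold, not the platform's value
MIN_LINKS = 5           # "many links": assumed threshold
CLUSTER_RATIO = 0.5     # share of links on the dominant host: assumed threshold


def enumerate_objects(pdf):
    """Yield (num, gen, body) for every object definition, repeats included."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3).strip()


def link_farm_check(pdf):
    """PDF_SEO_LINK_FARM: return (flagged, Counter of link-target hosts)."""
    hosts = Counter()
    for _, _, body in enumerate_objects(pdf):
        for uri in URI_RE.findall(body):
            u = urlsplit(uri.decode("latin-1"))
            if u.scheme in ("http", "https") and u.hostname:
                hosts[u.hostname.lower()] += 1
    total = sum(hosts.values())
    if len(pdf) > MAX_SIZE or total < MIN_LINKS:
        return False, hosts
    _, top = hosts.most_common(1)[0]
    return top / total >= CLUSTER_RATIO, hosts


def duplicate_objects(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: {(num, gen): {"first", "last", "active"}}
    for objects defined more than once with different body bytes."""
    seen = {}
    for num, gen, body in enumerate_objects(pdf):
        seen.setdefault((num, gen), []).append(body)
    dups = {}
    for key, bodies in seen.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            dups[key] = {"first": bodies[0], "last": bodies[-1],
                         "active": any(ACTIVE_RE.search(b) for b in bodies)}
    return dups


def resolve(pdf, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen)."""
    bodies = [b for n, g, b in enumerate_objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def build_sample():
    """Constructed demo PDF (not the analysed sample): six /Link annotations,
    five on one host, and object 4 0 redefined by an incremental update so a
    last-wins reader gets a /JavaScript action where a first-wins reader sees a
    plain /URI. Cross-reference tables are omitted; the regex does not need them."""
    links = ["https://cdn.example.net/a/one.pdf", "https://cdn.example.net/b/two.pdf",
             "https://cdn.example.net/c/three.pdf", "https://cdn.example.net/d/four.pdf",
             "https://cdn.example.net/e/five.pdf", "https://other.example.org/manual.pdf"]
    objs = [b"%PDF-1.4\n",
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
            b"4 0 obj\n<< /S /URI /URI (https://cdn.example.net/landing) >>\nendobj\n"]
    for i, url in enumerate(links, start=10):
        objs.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link "
                    b"/A << /S /URI /URI (%s) >> >>\nendobj\n" % (i, url.encode()))
    objs.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    # Incremental update: same object number and generation, different body bytes.
    objs.append(b"4 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n")
    objs.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(objs)


if __name__ == "__main__":
    pdf = build_sample()
    flagged, hosts = link_farm_check(pdf)
    print("PDF_SEO_LINK_FARM:", flagged, dict(hosts))
    for (n, g), d in duplicate_objects(pdf).items():
        sev = "critical" if d["active"] else "info"
        print(f"PDF_DUPLICATE_OBJ_BODY_INCREMENTAL {n} {g} [{sev}]")
        print("  first-wins:", resolve(pdf, n, g, "first").decode())
        print("  last-wins: ", resolve(pdf, n, g, "last").decode())
```

Run it as a script to see both verdicts on the constructed file, or pass real bytes (`open(path, "rb").read()`) to `link_farm_check` and `duplicate_objects`. A regex scanner only sees uncompressed objects: link actions or a redefined object hidden inside a compressed object stream (/ObjStm) are invisible to it, which is precisely the blind spot a crafted carrier can use, so a production check should parse the file with a real PDF library and apply the same host-clustering and duplicate-body logic to the decoded object set.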

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000e203.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE203   5348 bytes
  SHA-256: 06be6f28cd7771866c4a945b4daa6d25f9c213b1096df08026b869304216a331
font_01_sfnt_off0000f41d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xF41D   10704 bytes
  SHA-256: a465d99c67a9b84d2ec61093d4aac3f0227b43b1745b86eb91b58d07fc907145